Terrence August, Marius Florin Niculescu and Hyoduk Shin

Information Systems Research, September, 2014, 25(3), 489-510

Research Questions

As more users are willing to use software as a service (SaaS - applications run from the cloud), vendors will readily begin developing these offerings for many classes of software applications. From a vendor's perspective, SaaS has many benefits when compared to its on-premises counterpart, including significantly lower piracy, reduced distribution costs, and, particularly, greater control over security. For example, with on-premises software, it is difficult to incentivize users to patch their installations when security patches are released, and poor user patching behavior reduces the value of the software vendor's product. For on-premises offerings such as Microsoft Windows, Oracle, and Microsoft IIS, the user network is characterized by a large number of widespread nodes where individual instances of the software are running, with many remaining unpatched. Large installed software networks such as these are primary targets for undirected attacks via computer worms and viruses; Code Red, SQL Slammer, Sasser, and Conficker are all examples of malware that spread across vulnerable software networks and caused sizable economic damages.

On the other hand, if a vendor releases a SaaS version of its software product, it can ensure its hosted software always has the latest security patches applied. SaaS offerings tend to be centralized on the provider's servers and are less prone to these undirected attacks. Nevertheless, because of the magnitude of user information located in one place, SaaS may be more susceptible to directed attacks in which individuals with malicious intent specifically target and attack the vendor's systems. Whether software is deployed in a traditional on-premises fashion or in the SaaS paradigm, security attacks on software vulnerabilities will continue to be a challenging problem. Yet, in terms of software security risk management, a trend toward increasing SaaS usage may actually help reduce total risk by diversifying exposure across undirected and directed attacks and limiting the sizes of particular populations that malware can effectively target; this, in turn, may indirectly reduce the incentives of malware developers to target diversified software.

In this paper, we formally examine how a SaaS offering by a software vendor affects the security risk faced by users of his software network and the total value derived from his software product. We study his product differentiation and pricing problem under distinct security externalities in each paradigm and examine how aggregate security risk on the network is affected. To do so, we build a model of consumer behavior that captures their incentives to use either the on-premises or SaaS version of software and, in the case of the former, to patch their individual installations when security vulnerabilities arise. Two important features in our model are that: (i) users of the on-premises alternative who choose not to patch cause negative security externalities on other users, and (ii) all users of the SaaS version cause a negative externality on other users of SaaS by increasing the aggregate likelihood of a directed attack due to increased valuable information stored at a centralized location.

Findings

Using our model, we first study how consumers behave in equilibrium in the face of security externalities and characterize the manner in which they segment across alternatives and patching strategies for varying security-loss environments. We then examine how a software vendor sets prices of his on-premises and SaaS versions to induce profitable usage behavior. In particular, for high security-loss environments, where consumers are at risk of taking large losses if struck by security attacks, we establish that the vendor will cater his SaaS offering to the middle tier of the consumer market but only when both patching costs and the quality of the SaaS alternative are high, thus efficiently splitting on-premises usage characterized by higher valuation patched users and lower valuation unpatched users. Otherwise, he targets his SaaS offering to the lower tier of the consumer market. Because of his incentives to target the lower tier in the latter case, we also demonstrate that social welfare can be improved if he is incentivized to gear it back toward the middle tier.

For low security-loss environments, we again establish that the software vendor sets price to induce usage of both versions, which permits a comparison between our results under security externalities and those found in the information goods versioning literature. We show that as long as each of the distinct versions of a given software product has a small amount of idiosyncratic risk stemming from its own user population, then versioning is optimal.

Next, we turn our attention to clarifying the benefits of introducing SaaS alternatives by comparing measures of profitability, social welfare, security risk, and consumer surplus with those obtained under the traditional, on-premises only benchmark. We demonstrate that there are substantial benefits to profit and welfare in high security-loss environments associated with introducing a SaaS alternative, but they are limited in low security-loss ones. Surprisingly, we find that in high security-loss environments, although releasing SaaS often improves aggregate security, in some cases its release can actually increase average per-user security losses - particularly, when patching costs are not too high. Furthermore, consumer surplus can also decrease in such a case if the quality of the SaaS alternative is sufficiently high. Finally, in light of our findings on the merits of introducing SaaS, comparing its benefits to direct reductions in the likelihood of security attacks and the magnitude of patching costs, we demonstrate that the SaaS strategy can be outperformed by reductions in one of these parameters in both sufficiently low and sufficiently high security-loss environments. However, for more moderate ones, the magnitude of the direct cost reduction would need to be quite high, suggesting that the diversification benefits in a SaaS strategy would be preferable.

Invited Talks and Conferences

Eller College of Management, University of Arizona, September 26, 2014

Korea University Business School, Seoul, Korea, September 17, 2014

POMS Annual Conference 2014, Atlanta, GA, May 10, 2014

School of Business and Economics, Westfälische Wilhelms-Universität Münster, Germany, December 10, 2013

INFORMS Annual Meeting 2013, Minneapolis, MN, October 7, 2013

Workshop on the Economics of Information Security 2013, Washington, D.C., June 11, 2013